From 1aef75e94dcfcf3378e8c34c4557cae87de63f83 Mon Sep 17 00:00:00 2001
From: Matt Dean
Date: Tue, 28 Oct 2025 16:12:29 +0000
Subject: [PATCH 1/3] [NRL-1739] Add automatic scheduled updates for Window PowerBI GW instances
---
 .../modules/powerbi-gw-ec2/ec2.tf | 62 ++++++++++++++++++-
 .../modules/powerbi-gw-ec2/locals.tf | 3 +-
 2 files changed, 63 insertions(+), 2 deletions(-)
diff --git a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf
index eb106e8fc..a81dcb5e0 100644
--- a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf
+++ b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf
@@ -15,11 +15,71 @@ resource "aws_instance" "powerbi_gw" {
 user_data = file("${path.module}/scripts/user_data.tpl")
 tags = {
- Name = "${var.name_prefix}-ec2"
+ Name = "${var.name_prefix}-ec2"
+ PatchGroup = local.windows_patching_tag
 }
 }
+resource "aws_ssm_maintenance_window" "updates" {
+ name = "windows-updates"
+ schedule = "cron(0 2 ? * SUN *)" # Sunday 2am UTC
+ duration = 3
+ cutoff = 1
+}
+
+resource "aws_ssm_maintenance_window_target" "windows_instances" {
+ window_id = aws_ssm_maintenance_window.updates.id
+ resource_type = "INSTANCE"
+
+ targets {
+ key = "tag:PatchGroup"
+ values = [local.windows_patching_tag]
+ }
+}
+
+resource "aws_ssm_maintenance_window_task" "patch_task" {
+ window_id = aws_ssm_maintenance_window.updates.id
+ task_type = "RUN_COMMAND"
+ task_arn = "AWS-RunPatchBaseline"
+ priority = 1
+ service_role_arn = aws_iam_role.maintenance_window_role.arn
+
+ targets {
+ key = "WindowTargetIds"
+ values = [aws_ssm_maintenance_window_target.windows_instances.id]
+ }
+
+ task_invocation_parameters {
+ run_command_parameters {
+ parameter {
+ name = "Operation"
+ values = ["Install"]
+ }
+ }
+ }
+}
+
+resource "aws_iam_role" "maintenance_window_role" {
+ name = "maintenance-window-role"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [{
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "ssm.amazonaws.com"
+ }
+ }]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "maintenance_window_policy" {
+ role = aws_iam_role.maintenance_window_role.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole"
+}
+
 resource "tls_private_key" "instance_key_pair" {
 algorithm = "RSA"
 }
diff --git a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/locals.tf b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/locals.tf
index 01ea149af..f05d21368 100644
--- a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/locals.tf
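Review bot: The trust policy on `aws_iam_role.maintenance_window_role` grants `sts:AssumeRole` to `ssm.amazonaws.com` with no `Condition`, so the role can in principle be assumed on behalf of a maintenance window in another account — the confused-deputy case AWS documents for maintenance-window service roles, closed by adding `aws:SourceAccount` and `aws:SourceArn` conditions. The role also carries the fixed, account-global name `maintenance-window-role`, so instantiating this module twice in one account fails on create; `name = "${var.name_prefix}-maintenance-window-role"` would follow the `${var.name_prefix}-ec2` convention used for the instance tag. Both changes are sketched below; the account id needs a `data "aws_caller_identity"` source, which is not visible in this hunk and may or may not already exist in the module. Separately, `AWS-RunPatchBaseline` with `Operation = Install` and no `RebootOption` parameter defaults to rebooting the gateway when a patch requires it, which is probably intended at 02:00 but deserves a one-line comment on `patch_task` so nobody is surprised by the reboot.
```hcl
resource "aws_iam_role" "maintenance_window_role" {
  name = "${var.name_prefix}-maintenance-window-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      # … unchanged: Action, Effect, Principal …
      # Confused-deputy guard: only maintenance windows in this account may assume the role.
      Condition = {
        StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
        ArnLike      = { "aws:SourceArn" = "arn:aws:ssm:*:${data.aws_caller_identity.current.account_id}:*" }
      }
    }]
  })
}
```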
+++ b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/locals.tf
@@ -1,3 +1,4 @@
 locals {
- selected_ami_id = var.use_custom_ami ? data.aws_ami.PowerBI_Gateway[0].id : data.aws_ami.windows-2019.id
+ selected_ami_id = var.use_custom_ami ? data.aws_ami.PowerBI_Gateway[0].id : data.aws_ami.windows-2019.id
+ windows_patching_tag = "windows_scheduled_patching"
 }
From e1a3c6edd42243a5aa1c7ac82c852c8b3a6dd9ea Mon Sep 17 00:00:00 2001
From: Matt Dean
Date: Tue, 28 Oct 2025 16:17:39 +0000
Subject: [PATCH 2/3] [NRL-1739] Add max errors and max concurrency to patch task
---
 .../account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf
index a81dcb5e0..ca2126165 100644
--- a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf
+++ b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf
@@ -43,6 +43,8 @@ resource "aws_ssm_maintenance_window_task" "patch_task" {
 task_type = "RUN_COMMAND"
 task_arn = "AWS-RunPatchBaseline"
 priority = 1
+ max_concurrency = 1
+ max_errors = 1
 service_role_arn = aws_iam_role.maintenance_window_role.arn
 targets {
From e2325fa4a17c665f6f68e1c467c6e64f600d293e Mon Sep 17 00:00:00 2001
From: mattdean3-nhs
Date: Thu, 30 Oct 2025 16:47:59 +0000
Subject: [PATCH 3/3] Switch windows update schedule to run on Mondays at 2AM
Co-authored-by: katebobyn-nhs <101277966+katebobyn-nhs@users.noreply.github.com>
---
 .../account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf
index ca2126165..39b80276d 100644
--- a/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf
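Review bot: `windows_patching_tag` becomes the `PatchGroup` value on the instance, but nothing in this patch binds that group to a patch baseline (no `aws_ssm_patch_group`), so unless one is registered elsewhere in the account, `AWS-RunPatchBaseline` will apply the account's default Windows baseline to these gateways rather than anything tailored to them. If that is the intent, record it where the local is defined, e.g. `# PatchGroup tag value; without an aws_ssm_patch_group binding, instances patch from the account default Windows baseline`; if a custom baseline is expected, the binding should ship with this change so the tag value and the baseline cannot drift apart.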
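Review bot: `max_concurrency = 1` and `max_errors = 1` are added without a comment, and their combined effect — patch one target at a time and stop scheduling further invocations after the first failure — is the only thing keeping a bad patch from reaching every gateway in a single window, so it warrants a line of rationale such as `# Serial rollout: one instance at a time, stop after the first failed instance.` The provider schema types both attributes as strings (a count or a percentage such as `"50%"`), so the bare `1` is being coerced to `"1"`; quoting the values would match the schema and make the percentage option discoverable. The enclosing `patch_task` resource starts and ends outside this hunk.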
+++ b/terraform/account-wide-infrastructure/modules/powerbi-gw-ec2/ec2.tf
@@ -23,7 +23,7 @@ resource "aws_instance" "powerbi_gw" {
 resource "aws_ssm_maintenance_window" "updates" {
 name = "windows-updates"
- schedule = "cron(0 2 ? * SUN *)" # Sunday 2am UTC
+ schedule = "cron(0 2 ? * MON *)" # Monday 2am UTC
 duration = 3
 cutoff = 1
 }